Debian Bug report logs - #511227
ntp: OpenSSL signature verification API misuse


Package: ntp; Maintainer for ntp is Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>; Source for ntp is src:ntp.

Reported by: Steve Kostecke <kostecke@ntp.org>

Date: Thu, 8 Jan 2009 16:57:01 UTC

Severity: normal

Found in version ntp/1:4.2.2.p4+dfsg-2

Fixed in versions 1:4.2.4p4+dfsg-8, 1:4.2.2.p4+dfsg-2etch1

Done: kurt@roeckx.be (Kurt Roeckx)

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>:
Bug#511227; Package ntp. (Thu, 08 Jan 2009 16:57:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steve Kostecke <kostecke@ntp.org>:
New Bug report received and forwarded. Copy sent to Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>. (Thu, 08 Jan 2009 16:57:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Steve Kostecke <kostecke@ntp.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ntp: OpenSSL signature verification API misuse
Date: Thu, 08 Jan 2009 11:53:42 -0500
Package: ntp
Version: 1:4.2.2.p4+dfsg-2
Severity: normal


NTP 4.2.4 before 4.2.4p5 and 4.2.5 before 4.2.5p150 does not properly 
check the return value from the OpenSSL EVP_VerifyFinal function, which 
allows remote attackers to bypass validation of the certificate chain 
via a malformed SSL/TLS signature, a different vulnerability than 
CVE-2008-5077 and CVE-2009-0025.

http://www.ocert.org/advisories/ocert-2008-016.html

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0021

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.24-etchnhalf.1-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages ntp depends on:
ii  adduser                3.102             Add and remove users and groups
ii  libc6                  2.3.6.ds1-13etch8 GNU C Library: Shared libraries
ii  libcap1                1:1.10-14         support for getting/setting POSIX.
ii  libreadline5           5.2-2             GNU readline and history libraries
ii  libssl0.9.8            0.9.8c-4etch3     SSL shared libraries
ii  lsb-base               3.1-23.2etch1     Linux Standard Base 3.1 init scrip
ii  netbase                4.29              Basic TCP/IP networking system
ii  perl                   5.8.8-7etch6      Larry Wall's Practical Extraction 

ntp recommends no packages.

-- no debconf information
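The defect the report describes, shown as an added example that is not ntp's or OpenSSL's code: EVP_VerifyFinal() returns 1 on success, 0 when the signature does not verify and -1 on error, so a check that only rejects 0 lets the error case through. The block models that return contract with constructed return codes rather than linking OpenSSL; the "vulnerable" form is an assumed paraphrase of the pre-fix idiom, not a quote of ntp's source.

```c
#include <stdio.h>
#include <string.h>

/*
 * Documented contract of OpenSSL's EVP_VerifyFinal():
 *    1  signature verified
 *    0  signature did not verify
 *   -1  an error occurred (e.g. malformed signature encoding)
 * Treating "nonzero" as success therefore accepts -1.
 */

/* Vulnerable check: assumed paraphrase of an "if (!EVP_VerifyFinal(...))" idiom. */
int vulnerable_accepts(int rc)
{
    if (!rc)            /* only rc == 0 is rejected ...            */
        return 0;
    return 1;           /* ... so rc == -1 (error) counts as valid  */
}

/* Hardened check: only the documented success value is accepted. */
int hardened_accepts(int rc)
{
    return rc == 1;
}

/* Classify the result for logging so library errors are visible, not silent. */
const char *verify_status(int rc)
{
    switch (rc) {
    case 1:  return "verified";
    case 0:  return "bad signature";
    default: return "library error";   /* -1 or any undocumented value */
    }
}

int main(void)
{
    /* Constructed return codes standing in for the three EVP_VerifyFinal outcomes. */
    const int outcomes[] = { 1, 0, -1 };
    int i;
    for (i = 0; i < 3; i++) {
        int rc = outcomes[i];
        printf("rc=%2d  %-14s vulnerable=%d hardened=%d\n", rc,
               verify_status(rc), vulnerable_accepts(rc), hardened_accepts(rc));
    }
    return 0;
}
```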




Reply sent to Kurt Roeckx <kurt@roeckx.be>:
You have taken responsibility. (Thu, 08 Jan 2009 18:00:10 GMT) Full text and rfc822 format available.

Notification sent to Steve Kostecke <kostecke@ntp.org>:
Bug acknowledged by developer. (Thu, 08 Jan 2009 18:00:11 GMT) Full text and rfc822 format available.

Message #10 received at 511227-done@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: Steve Kostecke <kostecke@ntp.org>, 511227-done@bugs.debian.org
Subject: Re: [pkg-ntp-maintainers] Bug#511227: ntp: OpenSSL signature verification API misuse
Date: Thu, 8 Jan 2009 18:57:02 +0100
Version: 1:4.2.4p4+dfsg-8

On Thu, Jan 08, 2009 at 11:53:42AM -0500, Steve Kostecke wrote:
> Package: ntp
> Version: 1:4.2.2.p4+dfsg-2
> Severity: normal
> 
> 
> NTP 4.2.4 before 4.2.4p5 and 4.2.5 before 4.2.5p150 does not properly 
> check the return value from the OpenSSL EVP_VerifyFinal function, which 
> allows remote attackers to bypass validation of the certificate chain 
> via a malformed SSL/TLS signature, a different vulnerability than 
> CVE-2008-5077 and CVE-2009-0025.

I know and already fixed it in unstable in -8.  I've also provided
the security team with an update for stable.

They will properly treat that as a low priority thing.


Kurt





Bug marked as fixed in version 1:4.2.2.p4+dfsg-2etch1, send any further explanations to Steve Kostecke <kostecke@ntp.org> Request was from kurt@roeckx.be (Kurt Roeckx) to control@bugs.debian.org. (Mon, 12 Jan 2009 21:06:09 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 10 Feb 2009 07:28:23 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 11:59:30 2014; Machine Name: buxtehude.debian.org
